The recording of communications, such as telephone conversations, has been readily utilized in law enforcement and legal transactions. Ensuring the authenticity of recordings to make certain that they cannot be repudiated is essential. The identification of the parties involved in the communication has typically been provided by extrinsic evidence and is not integrated as part of the communication recording. The media utilized for recording and storage are generally unsecured and provide opportunity for tampering with or altering the content, raising the possibility that the content can be repudiated.
The growth of electronic data communications over media such as the Internet has presented new challenges in ensuring the integrity of communications, particularly when it comes to providing a non-repudiatable record of the communication. The growth of broadband data networks and data-based communication media such as mobile phones, voice-over-IP (VOIP) systems, text messaging systems, and video conference systems expands the means by which legal transactions may occur, for which there is a need to ensure that an authenticated record is captured. However, these media provide limited ability to verify the authenticity or ensure the integrity of the communication for the transacting parties or users.
In situations where the digital data communication is captured for storage, the spectre of tampering with little or no possibility of detection brings into question the validity and authenticity of the record, particularly when the communication is of a legal nature. For example, current legal practices typically require a signature on a document transmitted by facsimile for authentication, a practice which has become less secure with current digital imaging technology and the ability to tamper with the document.
In addition, when an important real-time communication occurs, such as a voice call, in which capture of the conversation is beneficial, the onus is placed upon one of the transacting parties to ensure the communication is captured appropriately. Without the appropriate safeguards the captured data is open to modification, potentially leaving the integrity of the data and the responsible party open to question.
The process of sending data over broadband networks, such as Internet Protocol (IP) networks, has led to the development of encryption and user identification techniques such as private/public-key cryptography and digital signatures. These techniques provide important security tools to ensure that data is non-repudiatable, wherein the user is associated with a given set of data and the signer cannot deny participation with the signature. A trusted third party may manage and control the digital signature remotely from the parties involved in the communication. Similarly, the use of digital signatures in data files provides a way of identifying the originating party of the file with some confidence. Both methods are applicable only to non-real-time data communication typical of e-mail or file-based communication applications. These methods cannot be applied to real-time communications.
A digital signature associates a digital or numerical code with a set of electronic data. The code is generated using a private key that uniquely identifies the person who is approving the contents of the data. To create a digital signature, an encryption process, such as DES, Triple DES or AES (Advanced Encryption Standard), for example, is utilized with a private key to encrypt a hash of the data set. The hash is a number generated from a string of data and is substantially smaller than the text itself. The hash is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash. In the United States, the National Institute of Standards has approved certain digital signature algorithms. The private key is associated with a given user. Thereafter, a public key which corresponds to the private key can be utilized to decrypt the encrypted data to arrive at the original data set. In a public/private key pair, one of the two keys is used to encrypt the data stream and the other key is required to decrypt it. By this process, a public key can be used to encrypt a stream and only the holder of the private key can decrypt that stream. Conversely, a private key can be used to encrypt a digital data stream and any person can verify the authenticity of that data stream by ascertaining that a publicly available (published) public key can decrypt that stream. For all practical purposes, it is considered impossible to create a digital stream that can be decrypted with a particular public key, except with the use of the associated private key, using well-established published algorithms.
Digital signatures provide the security benefits of identification and authentication plus data integrity to arrive at non-repudiation. The identity of the signing person of a transaction is known and can be proven to a third party. The signature is linked to the user. The signature is also linked to the data being signed such that if the data is changed, the signature is invalidated. For non-repudiation, the signing party cannot deny having signed the transaction inasmuch as the signature is linked to the user and the data. The use of digital signatures has been limited to non-real-time transactions, such as sending documents or files via e-mail or other file transfer methods, and has not been applicable to real-time or quasi-real-time communications.
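The hash-then-sign process described in the two preceding paragraphs can be shown in a few lines. This is an added illustration, not part of the original text: it uses textbook RSA without padding and constructed, insecure demonstration keys, and the names `make_key`, `sign`, `verify` and the sample record are assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent shared by both demonstration key pairs


def make_key(p, q):
    """Return (modulus, private exponent) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demonstration keys built from Mersenne primes: NOT secure.
N_A, D_A = make_key(2**521 - 1, 2**607 - 1)    # signer A
N_B, D_B = make_key(2**127 - 1, 2**1279 - 1)   # a different signer B


def digest(data: bytes) -> int:
    """SHA-256 hash of the data as an integer, far smaller than the data."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int, n: int) -> int:
    """Transform the hash of the data with the signer's private key."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, n: int) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash."""
    return pow(signature, E, n) == digest(data)


# Constructed sample record standing in for a stored communication.
RECORD = b"caller=A callee=B duration=120s audio=<constructed sample bytes>"
TAMPERED = RECORD.replace(b"callee=B", b"callee=C")


def demo() -> dict:
    sig_a = sign(RECORD, D_A, N_A)
    sig_b = sign(RECORD, D_B, N_B)
    return {
        # Signature linked to the data: the unchanged record verifies.
        "original": verify(RECORD, sig_a, N_A),
        # Any change to the data invalidates the signature.
        "tampered": verify(TAMPERED, sig_a, N_A),
        # Signature linked to the user: B's signature fails under A's key.
        "wrong_signer": verify(RECORD, sig_b, N_A),
    }


if __name__ == "__main__":
    print(demo())
```

Deployed signature schemes add a padding or encoding step to the hash before the private-key operation; it is omitted here to keep the correspondence with the description above visible.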
The use of various digital communication media to send real-time or quasi (near) real-time data communications, such as voice, video and data, has limited the ability to verify the authenticity of the communication and the participants involved. Security and authentication solutions have been implemented in the communication device, or at the user access point itself, increasing device complexity and compatibility issues, which hinder adoption. A telecommunications service provider's underlying data network, in addition to the growing integration of the Internet and the Public Switched Telephone Network (PSTN), provides the opportunity for capturing and storing all kinds of streaming data communications.
Therefore, there exists a need to provide for the generation of a non-repudiatable record of a real-time or quasi-real-time communication session.